Screen OS

  • 1.  Assign an IP address in the Untrust range to second device behind SSG5

    Posted 12-15-2012 08:25

    Hi,

    I am moving away from an old iptables Linux box firewall setup I had going on and was trying to replicate the setup on an SSG 5. I currently have a /29 IP range from my DSL provider which I can get working easily enough using a PPPoE profile mapped to an interface. I can also set up all of the NAT/DMZ bits that I had before, but the one part I can't work out is how to give another device on my network an IP in my untrust range.

    On the Linux box I created a bridge device, bound two NICs to it and enabled proxy ARP. I have tried to replicate this on the SSG5 but with no success.

    For this example, let's say I was given 100.1.1.1/29; I use .1 as the SSG 5 untrust IP and .2 as my extra device IP.

    Currently I have configured a bgroup0 which uses e0/3 and e0/4. I have my DSL modem connected to e0/3 and the PPPoE profile mapped to the bgroup0 interface. This works fine. I then plug my other network device into e0/4 and assign it an IP from the static range.

    If I run a get arp on the SSG5 I see the IP and MAC address of the device listed in its ARP table. I can't, however, ping it from the SSG5, or from the other device going back to the SSG5.

    I added an Untrust intra-zone policy which just says any -> any allow and log. I can see log entries being generated here.

    I guess the first question is: can the SSG5 handle the setup I'm trying to achieve? If so, am I going about it in the correct way? I know I can subnet the /29 range and route traffic to another interface, but then I'd lose an extra IP of the 5 available as another gateway. Also I'd like to do this without any NAT at all if possible.

    I ran a debug of a ping from .1 going to .2 and it looks like the packet just goes round in circles!

    Thanks


    : in <bgroup0>, out <N/A>
    chose interface bgroup0 as incoming nat if.
    flow_first_routing: in <bgroup0>, out <N/A>
    search route to (bgroup0, 100.1.1.1->100.1.1.2) in vr trust-vr for vsd-0/flag-0/ifp-null
    cached route 0 for 100.1.1.2
    add route 26 for 100.1.1.2 to route cache table
    [ Dest] 26.route 100.1.1.2->100.1.1.2, to bgroup0
    routed (x_dst_ip 100.1.1.2) from bgroup0 (bgroup0 in 0) to bgroup0
    policy search from zone 1-> zone 1
    policy_flow_search policy search nat_crt from zone 1-> zone 1
    RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 100.1.1.2, port 13014, proto 1)
    No SW RPC rule match, search HW rule
    swrs_search_ip: policy matched id/idx/action = 41/18/0x9
    Permitted by policy 41
    No src xlate choose interface bgroup0 as outgoing phy if
    no loop on ifp bgroup0.
    session application type 0, name None, nas_id 0, timeout 60sec
    service lookup identified service 0.
    flow_first_final_check: in <bgroup0>, out <bgroup0>
    existing vector list 1-4519744.
    Session (id:8047) created for first pak 1
    flow_first_install_session======>
    route to 100.1.1.2
    bypass L2 prepare if, nsp ready.
    ifp2 bgroup0, out_ifp bgroup0, flag 00002800, tunnel ffffffff, rc 1
    outgoing wing prepared, ready
    handle cleartext reverse route
    search route to (bgroup0, 100.1.1.2->100.1.1.1) in vr trust-vr for vsd-0/flag-3000/ifp-bgroup0
    cached route 27 for 100.1.1.1
    [ Dest] 27.route 100.1.1.1->100.1.1.1, to bgroup0
    route to 100.1.1.1
    bypass L2 prepare if, nsp ready.
    ifp2 bgroup0, out_ifp bgroup0, flag 00002801, tunnel ffffffff, rc 1
    flow got session.
    flow session id 8047
    flow_main_body_vector in ifp bgroup0 out ifp bgroup0
    flow vector index 0x1, vector addr 0x20f2a18, orig vector 0x20f2a18
    post addr xlation: 100.1.1.1->100.1.1.2.
    send out through normal path.
    flow_ip_send: 5513:100.1.1.1->100.1.1.2,1 => bgroup0(128) flag 0x20, vlan 0
    send packet to traffic shaping queue.
    flow_ip_send: 5513:100.1.1.1->100.1.1.2,1 => bgroup0(128) flag 0x20020, vlan 0
    pak has mac
    Send to bgroup0 (150)
    ****** 04805.0: <Untrust/bgroup0> packet received [128]******
    ipid = 21774(550e), @039e87b8
    packet passed sanity check.
    flow_decap_vector IPv4 process
    bgroup0:100.1.1.1/9464->100.1.1.2/1024,1(8/0)<Root>
    existing session found. sess token 4
    flow got session.
    flow session id 8031
    flow_main_body_vector in ifp bgroup0 out ifp N/A
    flow vector index 0x1, vector addr 0x20f2a18, orig vector 0x20f2a18
    post addr xlation: 100.1.1.1->100.1.1.2.
    send out through normal path.
    flow_ip_send: 550e:100.1.1.1->100.1.1.2,1 => bgroup0(128) flag 0x0, vlan 0
    send packet to traffic shaping queue.
    flow_ip_send: 550e:100.1.1.1->100.1.1.2,1 => bgroup0(128) flag 0x20000, vlan 0
    pak has mac
    Send to bgroup0 (150)
    ****** 04805.0: <Untrust/bgroup0> packet received [128]******
    ipid = 21779(5513), @039edfb8
    packet passed sanity check.
    flow_decap_vector IPv4 process
    bgroup0:100.1.1.1/9564->100.1.1.2/1024,1(8/0)<Root>
    existing session found. sess token 4
    flow got session.
    flow session id 8047
    flow_main_body_vector in ifp bgroup0 out ifp N/A
    flow vector index 0x1, vector addr 0x20f2a18, orig vector 0x20f2a18
    post addr xlation: 100.1.1.1->100.1.1.2.
    send out through normal path.
    flow_ip_send: 5513:100.1.1.1->100.1.1.2,1 => bgroup0(128) flag 0x0, vlan 0
    send packet to traffic shaping queue.
    flow_ip_send: 5513:100.1.1.1->100.1.1.2,1 => bgroup0(128) flag 0x20000, vlan 0
    pak has mac
    Send to bgroup0 (150)
    ****** 04805.0: <Untrust/bgroup0> packet received [128]******
    ipid = 21774(550e), @039ee7b8
    packet passed sanity check.
    flow_decap_vector IPv4 process
    bgroup0:100.1.1.1/9464->100.1.1.2/1024,1(8/0)<Root>
    existing session found. sess token 4
    flow got session.
    flow session id 8031
    flow_main_body_vector in ifp bgroup0 out ifp N/A
    flow vector index 0x1, vector addr 0x20f2a18, orig vector 0x20f2a18
    post addr xlation: 100.1.1.1->100.1.1.2.
    send out through normal path.
    flow_ip_send: 550e:100.1.1.1->100.1.1.2,1 => bgroup0(128) flag 0x0, vlan 0
    send packet to traffic shaping queue.
    flow_ip_send: 550e:100.1.1.1->100.1.1.2,1 => bgroup0(128) flag 0x20000, vlan 0
    pak has mac
    Send to bgroup0 (150)


  • 2.  RE: Assign an IP address in the Untrust range to second device behind SSG5

    Posted 12-16-2012 10:05

    I think you need to turn off the proxy ARP.

    In this case you are putting the server directly onto the public address on the bridge group switch and NOT behind the SSG. So the server will not need a proxy ARP; it is able to ARP for itself on the bridge group.

    A more standard setup for this would be one of two configurations.

    Layer 3

    Move the server to a DMZ and use the MIP or destination NAT functions to forward the public address to the server. The SSG will then proxy ARP for the server and you write access rules on what is permitted to connect.

    Transparent

    Put the SSG into transparent mode. The public address would go onto vlan1 and your server and other devices would all need to be in this same segment. The server connects to the layer 2 trust port and the incoming internet service to the layer 2 untrust port. Again you write policies for what layer 2 traffic is permitted or blocked. No proxy ARP is needed as every device answers for itself.



  • 3.  RE: Assign an IP address in the Untrust range to second device behind SSG5

    Posted 12-17-2012 04:00

    Thanks for the reply,

    Ideally I'd like to not use any kind of NAT; the other devices will be an SRX100b and a SIP gateway.

    I had read about transparent mode, but the problem I found was where to assign my PPPoE profile. It can only be bound to a bgroup or an L3 interface, right?



  • 4.  RE: Assign an IP address in the Untrust range to second device behind SSG5
    Best Answer

    Posted 12-18-2012 05:01

    Hi,

    You should allow overlapping addressing on the VR (assuming this is trust-vr):

    set vrouter trust-vr ignore-subnet-conflict

    Assign 100.1.1.2/29 to a free interface on this VR (e.g. DMZ). The IPs 100.1.1.3-100.1.1.6 can be assigned to the hosts in the DMZ zone. The DMZ interface should be in route mode to avoid interface-based NAT.
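    As an added illustration (not posted by anyone in this thread), the accepted answer above written out as a complete ScreenOS CLI fragment. It assumes ethernet0/2 is the spare SSG5 interface, that the PPPoE session on bgroup0 receives 100.1.1.1 from the provider, and that the two hosts are the SRX100b at .3 and the SIP gateway at .4; the address-object names and the policy lines are illustrative assumptions, not anything the answer specified.

```screenos
## Added example, not from the thread. Assumptions: ethernet0/2 is the spare
## interface, the ISP assigns 100.1.1.1 to the PPPoE session on bgroup0, and
## the host names and policies below are illustrative.

## 1. Let two interfaces in trust-vr carry the same /29 without the
##    "subnet conflict" error (the one line the accepted answer gives).
set vrouter trust-vr ignore-subnet-conflict

## 2. Put the spare interface in the DMZ zone with the second address of the
##    /29 and force route mode so traffic leaving it is not interface-NATed.
set interface ethernet0/2 zone dmz
set interface ethernet0/2 ip 100.1.1.2/29
set interface ethernet0/2 route

## 3. Address objects for the hosts that use .3-.6 with ethernet0/2 (.2)
##    as their default gateway.
set address dmz "srx100" 100.1.1.3/32
set address dmz "sip-gw" 100.1.1.4/32

## 4. Policies. Nothing is translated, so the hosts' real public addresses
##    are the policy addresses. With no NAT in the path the hosts are
##    directly reachable from the Internet, so keep inbound rules explicit
##    per host rather than the any -> any permit used while debugging.
set policy from untrust to dmz any "srx100" any permit log
set policy from untrust to dmz any "sip-gw" any permit log
set policy from dmz to untrust any any any permit
save

## Read-only checks after the change:
## get interface ethernet0/2    -> 100.1.1.2/29, zone DMZ, mode Route
## get route ip 100.1.1.3       -> connected route via ethernet0/2, not bgroup0
```

    The ignore-subnet-conflict step matters because bgroup0 (PPPoE, untrust) and ethernet0/2 (DMZ) both end up inside 100.1.1.0/29; without it ScreenOS refuses the second address. Route mode on ethernet0/2 is what keeps the DMZ hosts' source addresses unchanged, which is the "no NAT" requirement from the original post.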



  • 5.  RE: Assign an IP address in the Untrust range to second device behind SSG5

    Posted 12-18-2012 07:15

    This worked great.

    Thanks for your help.



  • 6.  RE: Assign an IP address in the Untrust range to second device behind SSG5

    Posted 04-04-2013 07:08

    I'm trying to achieve the same setup as you. So far unsuccessfully.

    Could you tell me how you got this working?




  • 7.  RE: Assign an IP address in the Untrust range to second device behind SSG5

    Posted 04-15-2013 04:40

    SpykeSecurity, Edouard's post summed up what you need to do. I got this set up on an SSG140, but it does come with some caveats. You can read my findings here if they are of help.